Hi Phil,

This is my first post to this list (as far as I remember). Firstly, may I say a great many thanks to all who help maintain this great email server. I have used Exim for the past 10 years with few issues. I have never felt the need to post before (the book is so good). But I would just like to query one thing regarding the new 4.80.1 security release:

I always use the Exim RPMs at the ATrpms repo, but they seem not to have the updated or patched package for CentOS 5 for this update. So I have decided to use the workaround you announced here: https://lists.exim.org/lurker/message/20121026.080330.74b9147b.en.html

Quote: "put this at the start of an ACL plumbed into acl_smtp_connect or acl_smtp_rcpt: warn control = dkim_disable_verify"

My (probably silly) question is: is there anything wrong with me adding 'warn control = dkim_disable_verify' under my 'acl_check_rcpt:' line if I also have 'control = dkim_disable_verify' stated separately against each 'accept' in the ACL below it, thus?:

--------------------------------
acl_check_rcpt:
  warn    control       = dkim_disable_verify

  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.
  accept  hosts         = :
          control       = dkim_disable_verify

  deny    message       = Restricted characters in address
          domains       = +local_domains : +relay_to_domains
          local_parts   = ^[.] : ^.*[@%!/|]

  deny    message       = Restricted characters in address
          domains       = !+local_domains : !+relay_to_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  require verify        = sender

  accept  hosts         = +relay_from_hosts
          control       = submission
          control       = dkim_disable_verify

  accept  authenticated = *
          control       = submission
          control       = dkim_disable_verify

  require message       = relay not permitted
          domains       = +local_domains : +relay_to_domains

  require verify        = recipient

  accept
--------------------------

My guess is that I can happily remove the three 'control = dkim_disable_verify' lines under each 'accept' that were there in the default conf file, so long as I retain my 'warn control = dkim_disable_verify' at the top of the ACL? But also that I was covered before in any case by having 'control = dkim_disable_verify' stated under each 'accept'?

Hope that makes sense.

Best regards,
Mike.
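For reference, the same RCPT ACL with the workaround applied once at the top and the per-accept duplicates removed. This is an added illustration based on the configuration quoted above, not a reply from the thread; it assumes the same named lists (local_domains, relay_to_domains, relay_from_hosts) as that configuration.

```exim
# Mitigation for the 4.70-4.80 DKIM verification hole, applied per message.
# A "warn" verb with no conditions always succeeds, so its control modifier is
# applied unconditionally, and "warn" never ends the ACL: every verb below it
# is only ever reached after DKIM verification has already been switched off.
acl_check_rcpt:
  warn    control       = dkim_disable_verify

  # Local SMTP (empty sending host). No per-accept control is needed any more,
  # because the warn above has already run for this message.
  accept  hosts         = :

  deny    message       = Restricted characters in address
          domains       = +local_domains : +relay_to_domains
          local_parts   = ^[.] : ^.*[@%!/|]

  deny    message       = Restricted characters in address
          domains       = !+local_domains : !+relay_to_domains
          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./

  require verify        = sender

  accept  hosts         = +relay_from_hosts
          control       = submission

  accept  authenticated = *
          control       = submission

  require message       = relay not permitted
          domains       = +local_domains : +relay_to_domains

  require verify        = recipient

  accept
```

Keeping the three per-accept lines as well is harmless (setting the control twice has no extra effect), so either form is safe until a patched 4.80.1 package is installed.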
On 2012-12-03 01:21, Phil Pennock wrote:
> On 2012-12-02 at 18:33 +0000, Jeremy Harris wrote:
> > On 10/26/2012 09:35 AM, Phil Pennock wrote:
> > > [...] a remote code
> > > execution hole in Exim, affecting releases 4.70 to 4.80, in the DKIM
> > > handling. This can be triggered by anyone who can send you email from a
> > > domain for which they control the DNS, and gets them the Exim run-time
> > > user.
> >
> > Should this be added to https://github.com/Exim/exim/wiki/EximSecurity ?
>
> Er, yes. Done.
>
> Also, updated https://github.com/Exim/exim/wiki/EximRelease so that this
> doesn't get skipped in future.
>
> Thanks,
> -Phil
>
> --

## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
